Blog

Detection engineering deep-dives, research, and threat analysis.

AI-assisted Entra ID tenant destruction and how to detect it
How AI can automate Entra ID tenant destruction and what it leaves behind in Entra ID audit logs.
Threat Intelligence in Sentinel: MDTI and custom Feeds
This blog post explains how security teams can integrate threat intelligence feeds into KQL-based detections, from Microsoft Defender Threat Intelligence (MDTI) to open-source feeds.
How KQL can be used to detect stealthy backdoors in Entra ID applications
A breakdown of Service Principal credential persistence in Entra ID and how to detect it with KQL.
Detecting MCP and OpenClaw with KQL
AI agents are redefining what 'the weakest link' means in enterprise architecture. A KQL-based approach to detecting OpenClaw and MCP in modern environments.
Reversing CanisterSprawl for KQL detections
A technical breakdown of CanisterSprawl, the second iteration of the CanisterWorm supply chain operation, now with active self-propagation, cross-ecosystem PyPI infection, and upgraded exfiltration infrastructure.
Using KQL to detect BYOVD attacks via known vulnerable LOLDrivers
A practical approach to detecting Bring Your Own Vulnerable Driver (BYOVD) activity using KQL and LOLDrivers.